Control: EC2 instances should not be attached to 'launch wizard' security groups
Description
Ensure that EC2 instances provisioned in your AWS account are not associated with security groups whose names are prefixed with 'launch-wizard', so that instances use purpose-built, custom security groups that follow the principle of least privilege.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ec2_instance_no_launch_wizard_security_group
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_no_launch_wizard_security_group --share
SQL
This control uses a named query:
-- Instances that have at least one attached security group whose
-- GroupName starts with 'launch-wizard' (the prefix the EC2 launch wizard uses).
with launch_wizard_sg_attached_instance as (
  select distinct arn as arn
  from aws_ec2_instance,
    jsonb_array_elements(security_groups) as sg
  where sg ->> 'GroupName' like 'launch-wizard%'
)
-- Every instance is reported once: 'alarm' if it appears in the CTE above, else 'ok'.
select
  i.arn as resource,
  case
    when sg.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when sg.arn is null then i.title || ' not associated with launch-wizard security group.'
    else i.title || ' associated with launch-wizard security group.'
  end as reason,
  i.region,
  i.account_id
from aws_ec2_instance as i
  left join launch_wizard_sg_attached_instance as sg on i.arn = sg.arn;
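The same check, re-implemented offline in Python over constructed `aws ec2 describe-instances`-style data so the query's semantics can be seen without an AWS account. This is an added example, not code from the aws_compliance mod; the sample instances, their IDs and group names are made up, and the function reports the offending group names, which the control's reason string omits. Like the SQL `like 'launch-wizard%'`, the match is case-sensitive and purely name-based.

```python
"""Offline evaluation of the 'no launch-wizard security group' control.

Added example: mirrors the control's SQL over a constructed
describe-instances response (hypothetical data, not the mod's own code).
"""
import json

# PostgreSQL `like 'launch-wizard%'` is a case-sensitive prefix match; mirror it.
LAUNCH_WIZARD_PREFIX = "launch-wizard"


def evaluate_instance(instance: dict) -> dict:
    """Return the control's status and reason for one instance.

    The control uses the instance title; here InstanceId stands in for it.
    `launch_wizard_groups` lists the matching group names (sorted, deduplicated,
    like the CTE's `select distinct`), which the control itself does not report.
    """
    offending = sorted({
        sg["GroupName"]
        for sg in instance.get("SecurityGroups", [])
        if sg.get("GroupName", "").startswith(LAUNCH_WIZARD_PREFIX)
    })
    title = instance.get("InstanceId", "<unknown>")
    if offending:
        reason = f"{title} associated with launch-wizard security group."
        return {"resource": title, "status": "alarm", "reason": reason,
                "launch_wizard_groups": offending}
    reason = f"{title} not associated with launch-wizard security group."
    return {"resource": title, "status": "ok", "reason": reason,
            "launch_wizard_groups": []}


def evaluate_describe_instances(output: dict) -> list:
    """Evaluate every instance in a describe-instances response (one row each)."""
    return [evaluate_instance(inst)
            for reservation in output.get("Reservations", [])
            for inst in reservation.get("Instances", [])]


# Constructed sample: a wizard-created group next to a custom one (alarm),
# custom groups only (ok), and a capitalised name that the case-sensitive
# prefix match deliberately does not flag (ok), as with the SQL `like`.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [
        {"GroupId": "sg-01", "GroupName": "launch-wizard-3"},
        {"GroupId": "sg-02", "GroupName": "web-tier"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [
        {"GroupId": "sg-02", "GroupName": "web-tier"}]},
    {"InstanceId": "i-0ccc", "SecurityGroups": [
        {"GroupId": "sg-03", "GroupName": "Launch-Wizard-9"}]},
]}]}

if __name__ == "__main__":
    for row in evaluate_describe_instances(SAMPLE):
        print(json.dumps(row))
```

Because the control keys only on the group name, a launch-wizard group that has been renamed is not caught and a custom group that happens to carry the prefix is flagged; treat the result as a heuristic and review the flagged groups' rules.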